From mboxrd@z Thu Jan 1 00:00:00 1970
Date: Wed, 24 Feb 2021 22:37:29 +0000
From: Joseph Myers
To: Siddhesh Poyarekar
CC: Siddhesh Poyarekar via Libc-alpha, Florian Weimer
Subject: Re: 'trusted and reasonably structured' regular expressions
In-Reply-To: <2152f614-0003-8dcf-f5cd-2d12c4e77e28@gotplt.org>
References: <2152f614-0003-8dcf-f5cd-2d12c4e77e28@gotplt.org>
List-Id: Libc-alpha mailing list
On Wed, 24 Feb 2021, Siddhesh Poyarekar wrote:

> The security exceptions[1] wiki page mentions that buffer overflows and other
> similar bugs will be treated as security vulnerabilities provided (well it
> actually says 'assuming' but I interpreted it as 'provided') that the
> offending pattern is 'trusted and reasonably well structured'.
>
> It appears to offload the responsibility of sanitizing regular expressions to
> the caller, which seems like the responsibility of the regular expression
> library. We have not rejected CVEs on this basis in the past[2] but it seems
> like something we should remedy as a policy. It seems unreasonable to me to
> expect users to parse regular expressions to validate them before passing them
> on to the regular expression parser library.

I think we should treat buffer overflows and similar (runtime undefined behavior in libc, including unbounded alloca / VLAs) as security bugs even for untrusted regular expressions. But unbounded time or memory usage (including the case of stack overflow with unbounded recursion as opposed to a single large stack allocation) should not be considered security bugs if they only arise from untrusted regular expressions and the code avoids undefined behavior (checks malloc return value, checks for overflows calculating allocation sizes, etc.).

(If the code fails to check for malloc returning NULL and so has a null pointer dereference as a result of unbounded memory usage, that would be a low-priority security bug. If such an error, e.g. failing to avoid integer overflow calculating an allocation size, is more plausibly exploitable for code execution, it would be a more serious security bug.)

--
Joseph S. Myers
joseph@codesourcery.com
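The line drawn in the message above, shown in C: unchecked allocation-size arithmetic is a memory-safety bug, while overflow-checked arithmetic plus a checked malloc turns a huge pattern into a mere resource cost. This is an added example, not code from the thread or from glibc; the `trans_table` type and both functions are hypothetical, and only `REG_ESPACE` is the real POSIX regex error code.

```c
#include <regex.h>    /* REG_ESPACE: the POSIX regex "out of memory" error code */
#include <stdint.h>
#include <stdlib.h>

/* Hypothetical DFA transition table (constructed for this example, not glibc's
   real regex representation): nstates rows of nsyms 32-bit entries each. */
struct trans_table {
  size_t nstates;
  size_t nsyms;
  uint32_t *cells;
};

/* The defect side of the distinction: the product can wrap in size_t, so a
   pattern that drives nstates or nsyms very high yields a tiny (even zero)
   request; malloc'ing that and then indexing cells[state * nsyms + sym]
   writes out of bounds. That is undefined behavior, not mere exhaustion. */
size_t naive_cell_bytes(size_t nstates, size_t nsyms) {
  return nstates * nsyms * sizeof(uint32_t);   /* BUG: unchecked wrap */
}

/* The acceptable side: every multiplication is overflow-checked
   (__builtin_mul_overflow is a GCC/Clang builtin) and a NULL from malloc is
   reported as REG_ESPACE rather than dereferenced. A huge pattern can still
   cost a lot of memory, but it cannot corrupt memory. */
int trans_table_init(struct trans_table *t, size_t nstates, size_t nsyms) {
  size_t ncells, nbytes;
  if (__builtin_mul_overflow(nstates, nsyms, &ncells) ||
      __builtin_mul_overflow(ncells, sizeof(uint32_t), &nbytes))
    return REG_ESPACE;          /* size does not fit in size_t: refuse */
  /* malloc(0) may legitimately return NULL; request at least one byte so
     that NULL unambiguously means allocation failure. */
  uint32_t *cells = malloc(nbytes ? nbytes : 1);
  if (cells == NULL)
    return REG_ESPACE;          /* out of memory: report, do not dereference */
  for (size_t i = 0; i < ncells; i++)
    cells[i] = 0;               /* no transition recorded yet */
  t->nstates = nstates;
  t->nsyms = nsyms;
  t->cells = cells;
  return 0;
}

void trans_table_free(struct trans_table *t) {
  free(t->cells);
  t->cells = NULL;
  t->nstates = t->nsyms = 0;
}
```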